Windows LAPS (Windows Local Administrator Password Solution) is a Windows feature that lets system administrators automatically manage, rotate and back up the password of a local administrator account on domain-joined PCs. More specifically, if you ever needed to recover a device and wished you could log in with a local administrator account in an AD or Azure AD environment, this is the feature for you.
Here is an article on Microsoft LAPS (legacy LAPS) by Gary Williams. You can still run the legacy solution in emulation mode while you prepare to migrate to the improved Windows LAPS.
Windows LAPS inherits many design concepts from legacy Microsoft LAPS. If you're familiar with legacy Microsoft LAPS, many Windows LAPS features are familiar. A key difference is that Windows LAPS is an entirely separate implementation that's native to Windows. Windows LAPS also adds many features that aren't available in legacy Microsoft LAPS. You can use Windows LAPS to back up passwords to Azure Active Directory, encrypt passwords in Windows Server Active Directory, and store your password history.
Here is the link to the original article that I have written. I recommend taking a look at it, as it is more comprehensive and includes troubleshooting links for errors you might encounter while setting up Windows LAPS: https://techdirectarchive.com/2023/05/02/how-to-configure-windows-laps/. We also wrote on how to configure Windows LAPS with Microsoft Intune.
If your domain is configured below the 2016 Domain Functional Level (DFL), you can't enable Windows LAPS password encryption at all. In that scenario clients can only be configured to store passwords in clear text in Active Directory (protected only by the ACLs on the computer object), and domain controllers can't back up their local DSRM account password, because that feature depends on password encryption. Check the level with (Get-ADDomain).DomainMode before you plan on encryption.
Importance of Implementing LAPS
Windows LAPS regularly rotates and manages the local administrator account password, so every device ends up with a unique password that changes on a schedule. That helps protect against pass-the-hash and lateral-movement attacks: a local administrator hash dumped from one compromised machine no longer works on any other machine.
Furthermore, when passwords are backed up to Azure Active Directory, access to them is governed by the Azure role-based access control model.
Windows Support for LAPS
The April 11, 2023 security update (KB5025229/KB5025230) implements the new Windows Local Administrator Password Solution (LAPS) as a Windows inbox feature. The new version stores its data in new Active Directory (AD) schema attributes and introduces new PowerShell cmdlets for administering LAPS.
Supported Editions
The new LAPS capabilities are available on the following Windows editions once the April 11, 2023 security update is installed.
- Windows 11 Pro, EDU, and Enterprise
- Windows 10 Pro, EDU, and Enterprise
- Windows Server 2022 and Windows Server Core 2022
- Windows Server 2019
LAPS Capabilities in an AD environment
Here are some new features available in Windows LAPS which were not available with the on-premises Microsoft LAPS:
- Password encryption: passwords can be stored encrypted in Active Directory rather than in clear text (this requires the 2016 Domain Functional Level).
- Password history: the password history policy setting lets you keep a number of previous passwords in Active Directory, so you can still log on to a backup image restored from before the last rotation.
- DSRM password backup: domain controllers can back up and regularly rotate their Directory Services Restore Mode (DSRM) password, which keeps these critical recovery credentials secure.
- Emulation mode: useful if you wish to keep using the legacy LAPS policy settings and tools while preparing to migrate to the new improved LAPS.
- Post-authentication actions: Windows LAPS can automatically rotate the password (and optionally log off or reboot) a configurable number of hours after the managed account is used.
LAPS also supports backing passwords up to Azure AD; at the time of writing that capability was still in preview.
Windows LAPS does not use the legacy "ms-Mcs-AdmPwd" and "ms-Mcs-AdmPwdExpirationTime" attributes. Rather, it uses "msLAPS-Password", "msLAPS-PasswordExpirationTime", "msLAPS-EncryptedPassword", "msLAPS-EncryptedPasswordHistory", "msLAPS-EncryptedDSRMPassword" and "msLAPS-EncryptedDSRMPasswordHistory".
Configure LAPS on Windows
If your domain controller does not have the required April 2023 update, the LAPS PowerShell module and its Update-LapsADSchema cmdlet are not present, and the command to update the AD schema will fail with an error.
Update-LapsADSchema
Launch PowerShell as an administrator, using an account that is a member of Schema Admins. The Update-LapsADSchema cmdlet adds the msLAPS-* attributes to the schema; it is a one-time operation for the entire forest.
Update-LapsADSchema
Verify that the changes were applied correctly by running the command again with the -Verbose switch: Update-LapsADSchema -Verbose
Lastly, verify the Active Directory schema extension by opening a computer object in Active Directory Users and Computers and checking the Attribute Editor tab for the msLAPS-* attributes.
Grant the managed devices permission to update their own password attributes. This is achieved by setting inheritable permissions on the Organizational Unit (OU) the computer objects are in; the Set-LapsADComputerSelfPermission cmdlet, pointed at that OU, is used for this purpose. For me, this is a test environment: I will create an OU called "TechDAComputers" for this test and move some computer objects into it.
The next step is optional but recommended: review and remove "All extended rights" permissions on the OU. That right allows reading confidential attributes, which is how the Windows LAPS password attributes are marked, so you do not want to leave it with anyone other than domain admins. The Find-LapsADExtendedRights cmdlet lists who holds it. For me, this is a newly created OU and the issue isn't present.
If this is not the case for you, or if you wish to grant certain users or groups access to the passwords, use the Set-LapsADReadPasswordPermission and Set-LapsADResetPasswordPermission cmdlets to delegate explicitly.
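The whole Active Directory preparation above, as one script. This is an added example and not code from the original article; the OU name "TechDAComputers" comes from the article, while the domain techda.local and the group LAPS-PasswordReaders are placeholders you need to replace.

```powershell
# Added example (not from the original article): prepare Active Directory for
# Windows LAPS from an elevated PowerShell session on a domain controller (or a
# machine with RSAT and the April 2023 update). Run the schema step as a Schema
# Admin and the permission steps as a Domain Admin.
# ASSUMED names: domain techda.local and group LAPS-PasswordReaders are placeholders.

$ou      = 'OU=TechDAComputers,DC=techda,DC=local'   # assumed DN
$readers = 'TECHDA\LAPS-PasswordReaders'             # assumed helpdesk group

Import-Module LAPS -ErrorAction Stop                 # absent without the April 2023 update

# 0. Encryption and DSRM backup need the 2016 DFL; know this before writing the GPO.
$dfl = (Get-ADDomain).DomainMode
"Domain functional level: $dfl"

# 1. Schema extension: one-time, forest-wide.
Update-LapsADSchema -Verbose

# Confirm the new attributes really landed in the schema.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msLAPS-*)' |
    Select-Object -ExpandProperty lDAPDisplayName

# 2. Let each computer object under the OU write its own msLAPS-* attributes.
Set-LapsADComputerSelfPermission -Identity $ou

# 3. Audit who holds "All extended rights" on the OU. That right also grants
#    read access to confidential attributes such as msLAPS-Password, so any
#    holder other than Domain Admins / SYSTEM deserves a look.
Find-LapsADExtendedRights -Identity $ou | Format-List

# 4. Delegate explicitly instead: only the helpdesk group may read the
#    password, and only it may force a reset by expiring it.
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals $readers
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals $readers
```

Step 3 prints the extended-rights holders rather than removing them automatically: which of them are legitimate is a per-environment decision, so remove the stray ones by hand in the OU's security settings.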
Copy LAPS.admx file to the Central Store
There are lots of reasons to manage your policies via the Central Store. The Central Store is a file location in SYSVOL that the Group Policy tools check by default; the tools use all .admx files that are in the Central Store, and the files there are replicated to all domain controllers in the domain.
Windows installs LAPS.admx under %systemroot%\PolicyDefinitions as shown below. If you use a Central Store for the administrative templates, you have to copy the new LAPS template there first. Please see this article on how to create the Central Store for Group Policy Administrative Templates.
Note: You must copy the corresponding LAPS.adml file (from the matching language subfolder) as well. Otherwise, you will get the following error.
Create the LAPS GPO
Windows LAPS includes a new Group Policy administrative template that you can use to manage its policy settings in Active Directory. To access the Windows LAPS settings, launch Group Policy Management and create a new GPO. There are various ways to achieve this! Another fantastic tool for managing GPOs is AGPM. It is part of the Microsoft Desktop Optimization Pack (MDOP) suite of technologies available to Software Assurance customers through an additional subscription.
Edit the newly created LAPS policy and follow the next step below.
Navigate to LAPS Settings as shown below
Computer Configuration > Policies > Administrative Templates > System > LAPS
At a minimum, you must configure the BackupDirectory setting, which tells Windows LAPS where to back up the password (Windows Server Active Directory in this walkthrough, or Azure Active Directory); without it, nothing is managed. If you don't configure the AdministratorAccountName setting, Windows LAPS defaults to managing the built-in local administrator account. This built-in account is identified by its well-known relative identifier (RID), not by name, which is the safer choice: the name of the built-in local administrator account varies with the device's default locale and can be changed.
If you want to configure a custom local administrator account, you should configure the AdministratorAccountName setting with the name of that account.
Configured Policies
I will not walk through each of these steps, as they are basic and straightforward. Below are the configured settings.
Link LAPS GPO
You can link the LAPS GPO by clicking on it and dragging it onto the right OU.
By default, Group Policy is refreshed every 90 minutes. To us, this is like forever, and we want these policies to be applied immediately. Please see Group Policy GPUpdate Commands: GPUpdate, GPUpdate /force, LogOff, Boot, Wait, and Sync. Proceed to the workstation and run the gpupdate /force
command on the client PC.
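The GPO steps above (create, configure, link, refresh) done with the GroupPolicy module instead of the editor, as an added example that is not part of the original article. The registry values are the policy-backed equivalents of the LAPS administrative template settings under HKLM\Software\Microsoft\Policies\LAPS; compare them with the LAPS.admx in your Central Store before applying. The GPO name "Windows LAPS", the domain techda.local and the client "PC1" are placeholders.

```powershell
# Added example (not from the original article): build, configure and link the
# Windows LAPS GPO from PowerShell. Requires the GroupPolicy RSAT module and a
# Domain Admin (or GPO creator) account.
# ASSUMED names: GPO "Windows LAPS", OU TechDAComputers in techda.local, client PC1.

Import-Module GroupPolicy -ErrorAction Stop

$gpoName = 'Windows LAPS'
$ou      = 'OU=TechDAComputers,DC=techda,DC=local'   # assumed DN
$key     = 'HKLM\Software\Microsoft\Policies\LAPS'   # Windows LAPS policy root

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Windows LAPS, AD backup' }

# BackupDirectory is the one mandatory setting: 2 = Windows Server AD,
# 1 = Azure AD, 0 = disabled. The rest are the article's "configured settings".
$settings = [ordered]@{
    BackupDirectory                = 2
    PasswordAgeDays                = 30   # rotate at least every 30 days
    PasswordLength                 = 20
    PasswordComplexity             = 4    # upper, lower, digits and specials
    ADPasswordEncryptionEnabled    = 1    # needs 2016 DFL, see the caveat above
    ADEncryptedPasswordHistorySize = 6    # old passwords kept for restored images
    PostAuthenticationResetDelay   = 8    # hours after the account is used ...
    PostAuthenticationActions      = 3    # ... then reset the password and log off
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}
# AdministratorAccountName is deliberately left unset: Windows LAPS then manages
# the built-in administrator by its well-known RID, whatever it is named.

# Link the GPO to the computers OU (the drag-and-drop step), once.
$linked = (Get-GPInheritance -Target $ou).GpoLinks.DisplayName -contains $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null }

# Don't wait 90 minutes: push a refresh to the client (same effect as running
# "gpupdate /force" on it).
Invoke-GPUpdate -Computer 'PC1' -Force -RandomDelayInMinutes 0

# Review what ended up in the GPO.
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Value
```

Note that ADPasswordEncryptionEnabled only takes effect once the domain is at the 2016 DFL; on an older domain the client falls back to clear-text storage, so check the LAPS operational log after the first refresh rather than assuming the encryption setting was honoured.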
Demo 1: Retrieve LAPS password via the ADUC
Open Active Directory Users and Computers, double-click the computer account whose password you want to retrieve, and open the LAPS tab.
- If the computer in question does not have the required update installed, Windows LAPS will not be able to manage its local admin account and password, and no password will be shown for it.
Demo 2: Retrieve LAPS Password via PowerShell
The Get-LapsADPassword cmdlet
is used to reveal the LAPS password; by default the password is returned as a SecureString, so add the -AsPlainText parameter to see it in clear text.
There are quite a few cmdlets in the LAPS PowerShell module, which is included by default. Use the command "Get-Command -Module LAPS" to list them.
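Demo 2 carried a step further, as an added example that is not part of the original article: read the current password, look at the history, and then make sure the password you just looked at does not stay valid. The computer name "PC1" is a placeholder, the caller is assumed to have been granted read and reset permission on the OU, and the output property names are taken from the cmdlet's output and should be checked on your version.

```powershell
# Added example (not from the original article): retrieve and act on a Windows
# LAPS password stored in Active Directory.
# ASSUMED: computer PC1; caller holds read/reset permission on its OU; property
# names (ComputerName, Account, Password, ExpirationTimestamp, Source,
# PasswordUpdateTime) as emitted by Get-LapsADPassword.

Import-Module LAPS -ErrorAction Stop
$computer = 'PC1'

# Default output keeps the password as a SecureString; -AsPlainText reveals it.
$current = Get-LapsADPassword -Identity $computer -AsPlainText
'{0}\{1} : {2} (expires {3}, stored as {4})' -f $current.ComputerName, $current.Account,
    $current.Password, $current.ExpirationTimestamp, $current.Source

# History only exists with encryption enabled and ADEncryptedPasswordHistorySize > 0.
# It is what lets you log on to a backup image taken before the last rotation.
Get-LapsADPassword -Identity $computer -AsPlainText -IncludeHistory |
    Select-Object PasswordUpdateTime, ExpirationTimestamp, Password

# After the support task, force a rotation so the credential you just saw is
# short-lived: expire it in AD (picked up at the next policy run) ...
Set-LapsADPasswordExpirationTime -Identity $computer
# ... and, if you still have a remote session, rotate immediately instead of
# waiting for the hourly cycle.
Invoke-Command -ComputerName $computer -ScriptBlock { Reset-LapsPassword }

# All cmdlets in the module, for reference.
Get-Command -Module LAPS | Select-Object Name
```

Expiring the password after every retrieval is the habit worth building: a LAPS password that was read once and left in place for the remaining 30 days of its lifetime is exactly the reusable local credential the solution is meant to remove.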
LAPS Event
Windows LAPS processes the currently active policy periodically (every hour) and also when a Group Policy change notification arrives. When a password does not show up in AD, the place to look is the event log under Applications and Services Logs -> Microsoft -> Windows -> LAPS -> Operational.
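A quick health check against that log, as an added example that is not part of the original article: trigger a policy run on the managed device and read back what it logged. Run it locally on the client as an administrator; the log name is the channel the article points at, and the one-day window for the error summary is an arbitrary choice.

```powershell
# Added example (not from the original article): force a Windows LAPS policy
# run and inspect the operational log for the result. Run elevated on the client.

Import-Module LAPS -ErrorAction Stop
$log   = 'Microsoft-Windows-LAPS/Operational'   # the log shown in the article
$since = (Get-Date).AddMinutes(-1)              # small margin for clock granularity

# Don't wait for the hourly cycle: process the current policy now.
Invoke-LapsPolicyProcessing

# Everything logged by that run. Warning (level 3) and Error (level 2)
# entries are what to read when the password never appears in AD, e.g. a
# missing BackupDirectory, a client without the update, or an encryption
# setting on a domain below the 2016 DFL.
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# Errors over the last day grouped by event ID: a one-line view of whether the
# device has been failing repeatedly or just once.
Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object Count, Name
```

Get-WinEvent raises an error rather than returning nothing when the filter matches no events, hence the -ErrorAction SilentlyContinue: an empty result after a policy run simply means the run produced no entries in that window.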